Wired Intelligent Edge

Dear all,

 

whats the best practice to remove all AAA config from a profile.

the NO command for the authenticon ( mac/authenticator works) pure functional works but i can remove the following settings 

• aaa port-access authenticator tx-period 10
  aaa port-access authenticator supplicant-timeout 10
  aaa port-access authenticator client-limit 10
  aaa port-access mac-based addr-limit 10

Thanks

 

 

 

 

#2930F

For some of the commands on ArubaOS switches, you will need to configure them to the default value in order to disappear. The configuration will show only values that have changed from the default. Example for your case:

sw01(config)# aaa port-access authenticator 5 tx-period 10
sw01(config)# aaa port-access authenticator 5 supplicant-timeout 10
sw01(config)# aaa port-access authenticator 5 client-limit 10
sw01(config)# aaa port-access mac-based 5 addr-limit 10
sw01(config)# show running-config interface 5

Running configuration:

interface 5
   untagged vlan 6
   aaa port-access authenticator tx-period 10
   aaa port-access authenticator supplicant-timeout 10
   aaa port-access authenticator client-limit 10
   aaa port-access mac-based addr-limit 10
   exit

sw01(config)# aaa port-access authenticator 5 tx-period 30
sw01(config)# aaa port-access authenticator 5 supplicant-timeout 30
sw01(config)# no aaa port-access authenticator 5 client-limit
sw01(config)# aaa port-access mac-based 5 addr-limit 1
sw01(config)# show running-config interface 5

Running configuration:

interface 5
   untagged vlan 6
   exit

You can look up the default in the Security Access Guide from the ArubaOS switch configuration.

We partially scripted it and just use this as a template:

 

no aaa port-access xxx mixed
no aaa port-access mac-based xxx
no aaa port-access authenticator xxx client-limit
no aaa port-access authenticator xxx
no port-security xxx
no spanning-tree xxx root-guard bpdu-protection
int xxx
name "xxx"
untagged vlan xx
ip source-lockdown
disable
enable
exit

 

TBB

Hi,

How can I remove this command : aaa port-access 5 controlled-direction in ?

------------------------------
Glepers
------------------------------

Original Message:
Sent: Nov 08, 2019 11:27 AM
From: Phil M
Subject: Remove All AAA Config From a Port

We partially scripted it and just use this as a template:

 

no aaa port-access xxx mixed
no aaa port-access mac-based xxx
no aaa port-access authenticator xxx client-limit
no aaa port-access authenticator xxx
no port-security xxx
no spanning-tree xxx root-guard bpdu-protection
int xxx
name "xxx"
untagged vlan xx
ip source-lockdown
disable
enable
exit

 

TBB

Hello,

Since the default setting for controlled-direction is "both", you can remove this line from the running config by setting it to both. However you should keep in mind that this setting can only be changed if the port still has authentication enabled on it. If the authentication was already removed the change will fail with the error "Port is not configured with any Authentication."

Here an example

 

Aruba-Stack-3810M(config)# aaa port-access mac-based 1/1

Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction in

Aruba-Stack-3810M(config)# show run int 1/1

 

Running configuration:

 

interface 1/1

   untagged vlan 1

   aaa port-access mac-based

   aaa port-access controlled-direction in

   exit

 

Aruba-Stack-3810M(config)#

Aruba-Stack-3810M(config)# no aaa port-access mac-based 1/1

Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction both

Port 1/1 is not configured with any Authentication.

 

You should first set the controlled direction to both and after that remove authentication from the port.  Here I am re-enabling mac-based authentication on the port

Aruba-Stack-3810M(config)# aaa port-access mac-based 1/1

And then I am able to set the controlled direction to the default setting of both and remove authentication.

Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction both

Aruba-Stack-3810M(config)# no aaa port-ac mac-based 1/1

Now the command is accepted and the port has the default configuration.

Aruba-Stack-3810M(config)# show run int 1/1

 

Running configuration:

 

interface 1/1

   untagged vlan 1

   exit

------------------------------
Emil Gogushev
------------------------------

Original Message:
Sent: Oct 12, 2021 07:58 AM
From: geoffrey Lepers
Subject: Remove All AAA Config From a Port

Hi,

How can I remove this command : aaa port-access 5 controlled-direction in ?

------------------------------
Glepers

Original Message:
Sent: Nov 08, 2019 11:27 AM
From: Phil M
Subject: Remove All AAA Config From a Port

We partially scripted it and just use this as a template:

 

no aaa port-access xxx mixed
no aaa port-access mac-based xxx
no aaa port-access authenticator xxx client-limit
no aaa port-access authenticator xxx
no port-security xxx
no spanning-tree xxx root-guard bpdu-protection
int xxx
name "xxx"
untagged vlan xx
ip source-lockdown
disable
enable
exit

 

TBB

Hi Emil_G,

Thanks, it's works.

------------------------------
Glepers
------------------------------

Original Message:
Sent: Oct 12, 2021 11:21 AM
From: Emil Gogushev
Subject: Remove All AAA Config From a Port

Hello,

Since the default setting for controlled-direction is "both", you can remove this line from the running config by setting it to both. However you should keep in mind that this setting can only be changed if the port still has authentication enabled on it. If the authentication was already removed the change will fail with the error "Port is not configured with any Authentication."

Here an example

 

Aruba-Stack-3810M(config)# aaa port-access mac-based 1/1

Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction in

Aruba-Stack-3810M(config)# show run int 1/1

 

Running configuration:

 

interface 1/1

   untagged vlan 1

   aaa port-access mac-based

   aaa port-access controlled-direction in

   exit

 

Aruba-Stack-3810M(config)#

Aruba-Stack-3810M(config)# no aaa port-access mac-based 1/1

Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction both

Port 1/1 is not configured with any Authentication.

 

You should first set the controlled direction to both and after that remove authentication from the port.  Here I am re-enabling mac-based authentication on the port

Aruba-Stack-3810M(config)# aaa port-access mac-based 1/1

And then I am able to set the controlled direction to the default setting of both and remove authentication.

Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction both

Aruba-Stack-3810M(config)# no aaa port-ac mac-based 1/1

Now the command is accepted and the port has the default configuration.

Aruba-Stack-3810M(config)# show run int 1/1

 

Running configuration:

 

interface 1/1

   untagged vlan 1

   exit

------------------------------
Emil Gogushev

Original Message:
Sent: Oct 12, 2021 07:58 AM
From: geoffrey Lepers
Subject: Remove All AAA Config From a Port

Hi,

How can I remove this command : aaa port-access 5 controlled-direction in ?

------------------------------
Glepers

Original Message:
Sent: Nov 08, 2019 11:27 AM
From: Phil M
Subject: Remove All AAA Config From a Port

We partially scripted it and just use this as a template:

 

no aaa port-access xxx mixed
no aaa port-access mac-based xxx
no aaa port-access authenticator xxx client-limit
no aaa port-access authenticator xxx
no port-security xxx
no spanning-tree xxx root-guard bpdu-protection
int xxx
name "xxx"
untagged vlan xx
ip source-lockdown
disable
enable
exit

 

TBB